hAcktive Directory Forensics:
a toolkit for understanding who|what|when in your domain
Yossi Sassi
WhoAmI
• InfoSec Researcher; H@כk3r (1nTh35h311)
• Red mind, Blue heart
• Co-Founder @
• Consulting in 4 continents (Banks/gov/F100)
• 30+ years of keyboard access – Code, IT Sec, Net Comms.
• ~25 years of AD expertise; Ex-Javelin Networks (Acquired by Symantec)
• Ex-Technology Group Manager @ Microsoft (Coded Windows Server Tools)
• Aviator; Volunteer (Youth at risk); Oriental Rock Bouzoukitarist
ChatGPT was Not used in the making of this presentation, code & content
(Screenshots: ChatGPT's answer was Incorrect; a 2nd attempt, after feedback, was again Incorrect)
What we’ll talk about
• ‘Hacktive Directory’ 101
• Sources of “Truth” in AD
• A set of tools for Pre, During and Post AD Breach
• Attributes of interest: Blue Team tips
‘Hacktive Directory’ 101
Why hack AD? Why is AD so ‘Hackable’?
• a bit like what happened with TCP/IP…
– Great success, super popular
– …Yet architecture & design goals very far from the modern landscape and threats
• Involved in every huge breach (as well as smaller ones ☺)
– Lion (2020), NTT (2020), Baltimore (2019), Norsk Hydro (2019), SingHealth (2018), MAERSK (2017), SONY (2014), Target (2013), many others..
• “The Microsoft Mainframe” – It’s not going away!
• Compromising your AD means GAME OVER.
Windows/AD 101
• AuthN protocols (NTLM, Kerberos, LDAP/S) and “Secrets” (Hashes/NTLM, Tickets, caching, certificates…)
• Logon vs. Authentication (Local vs. Domain, logon types…)
• Security Principals (Users, Computers, Groups)
• Authorization / ACLs – going beyond group membership(s)
• e.g. direct SID assignment, ObjectAccess types etc.
• Processes, threads, handles, access tokens, logon sessions etc.
PAC
AdminSDHolder
Protocol and Port | AD and AD DS Usage | Type of traffic
TCP 25 | Replication | SMTP
TCP 42 | If using WINS in a domain trust scenario offering NetBIOS resolution | WINS
TCP 135 | Replication | RPC, EPM
TCP 137 | NetBIOS Name resolution | NetBIOS Name resolution
TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon
TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos
TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS
TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMBv1/2/3, CIFS, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 9389 | AD DS Web Services | SOAP
TCP 5722 | File Replication (Windows Server 2008/2008 R2 DCs only; later versions use the dynamic RPC range) | RPC, DFSR (SYSVOL)
TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
UDP 123 | Windows Time, Trusts | Windows Time
UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution
UDP 138 | DFS, Group Policy, NetBIOS Netlogon, Browsing | DFSN, NetLogon, NetBIOS Datagram Service
UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service, but these ports may be necessary for other functions besides DHCP, such as WDS) | DHCP, MADCAP, PXE
TCP and UDP 1024-5000 (pre-Vista/2008 dynamic range); 49152-65535 (Vista/2008 and later) | Ongoing (RPC etc.) | RPC / DCOM / WMI...
TCP 593 | DCOM/Messaging/Exchange | RPC over HTTP
“Confusing” architectural recommendations
• 90’s (The NT4 days): The more Domains – the better!
• NT4 to NT5 -> Your opportunity to Consolidate domains!
• Domain is NOT a security boundary! –> Separate into Forests,
with trusts.
• Trusts are bad as well (one/bi-directional, FPs, SidFiltering, sidHistory…)
• ESAE, aka “Red Forest” (Costly! & doesn’t play well with cloud) *
• Admin Tier Model
• Forget the costly & complex ‘Red Forest’ -> Privileged Access
* Still useful for isolated environments, e.g., offline R&D or disconnected OT/Scada environments
Sources of “Truth” in AD
• Sysvol/Files vs. ETW/Event Logs vs. pcap/”hooks”
• Possible Scenarios –
– No logs (Not collected/Not enough retention/Wiped by ransom)
– No Online DCs (encrypted/offline VMs -> Just backups…)
• Still, we want to know who did what & when
• NTDS.dit
• replPropertyMetaData (per-attribute replication metadata kept on every object)
HacKtive Directory: Sources of “Truth”
NTDS.dit
replPropertyMetaData is exposed per object through two constructed attributes:
• single-valued attributes: msDS-ReplAttributeMetaData
• multi-valued (linked) attributes, e.g. member: msDS-ReplValueMetaData
Where is this msDS-Repl* ??!
Wouldn’t it be nice…
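The two constructed attributes above are what make "who|what|when" possible when the logs are gone. The following is an added example, not code from the deck or from hacktivedirectory.com: it requests both attributes for one object and flattens them into a change table, including group members that were removed (the link value stays behind with ftimeDeleted set until the tombstone lifetime expires). It assumes the RSAT ActiveDirectory module; the DC name DC01 and the group DN in the usage line are placeholders.

```powershell
# Added example (not part of the original deck). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ObjectChangeHistory {
    <#
      Flattens msDS-ReplAttributeMetaData (single-valued attributes) and
      msDS-ReplValueMetaData (linked multi-valued attributes such as member)
      into one table: attribute, value, version, when, and which DC originated the change.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity,   # distinguishedName or objectGUID
        [string]$Server                            # a DC, or "host:port" of a dsamain instance
    )
    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    # Both attributes are constructed: the DC computes them on request and never returns
    # them unless they are named explicitly in -Properties (hence "where is this msDS-Repl*").
    $obj = Get-ADObject @ad -Identity $Identity -Properties 'msDS-ReplAttributeMetaData', 'msDS-ReplValueMetaData'

    # "CN=NTDS Settings,CN=DC01,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,..." -> "DC01".
    # Empty when the originating DC has since been demoted (its NTDS Settings object is gone).
    $dcName = { param($ntdsDn) if ($ntdsDn) { ($ntdsDn -split ',')[1] -replace '^CN=' } else { '<unknown/demoted DC>' } }

    foreach ($x in $obj.'msDS-ReplAttributeMetaData') {
        $m = ([xml]$x).DS_REPL_ATTR_META_DATA
        [pscustomobject]@{
            Attribute      = $m.pszAttributeName
            Value          = $null                     # single-valued: the current value lives on the object itself
            Version        = [int]$m.dwVersion         # number of originating writes this attribute has seen
            LastChangeUtc  = [datetime]$m.ftimeLastOriginatingChange
            OriginatingDC  = & $dcName $m.pszLastOriginatingDsaDN
            OriginatingUsn = [long]$m.usnOriginatingChange
            Deleted        = $null
        }
    }
    foreach ($x in $obj.'msDS-ReplValueMetaData') {
        $m = ([xml]$x).DS_REPL_VALUE_META_DATA
        $deleted = [datetime]$m.ftimeDeleted           # 1601-01-01 means "value still present"
        [pscustomobject]@{
            Attribute      = $m.pszAttributeName
            Value          = $m.pszObjectDn            # e.g. the member's DN
            Version        = [int]$m.dwVersion
            LastChangeUtc  = [datetime]$m.ftimeLastOriginatingChange
            OriginatingDC  = & $dcName $m.pszLastOriginatingDsaDN
            OriginatingUsn = [long]$m.usnOriginatingChange
            Deleted        = if ($deleted -gt [datetime]'1602-01-01') { $deleted } else { $null }
        }
    }
}

# Usage (placeholders): every membership change of Domain Admins still recorded in the
# link metadata, newest first, removed members included.
Get-ObjectChangeHistory -Identity 'CN=Domain Admins,CN=Users,DC=corp,DC=local' -Server DC01 |
    Where-Object Attribute -eq 'member' |
    Sort-Object LastChangeUtc -Descending |
    Format-Table Value, Version, LastChangeUtc, Deleted, OriginatingDC -AutoSize
```

For the "no online DCs, just backups" case, mount the NTDS.dit copy read-only with dsamain and point -Server at it, e.g. `dsamain -dbpath C:\ir\ntds.dit -ldapport 10389 -allowNonAdminAccess` (path and port are placeholders; dsamain ships with the AD DS/AD LDS tools, and a copy taken while the DC was running usually needs esentutl recovery first), then call the function with `-Server localhost:10389`. Two caveats: the metadata answers when and from which DC, never who (for the actor you still need that DC's 5136/4662/4728-type Security events, if they survived), and the timestamp is the originating DC's clock, so a DC with skewed time writes skewed history.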
More Tools for Pre, During & Post AD Breach
Get-LDAPperformance
Identifying Unusual and/or Large LDAP Queries
• Collects LDAP Query Performance Events and analyzes them to CSV & Grid (relies on event ID 1644 in the Directory Service log)
• Helps in identifying large or unusual LDAP queries, either for Threat Hunting or IT optimization
• No dependencies, no modules required. Requires ‘Event Log Readers’ permission or equivalent read access to the Directory Service log
• Some prerequisites are needed on the AD side: enable the relevant diagnostic logging (NTDS Diagnostics ‘15 Field Engineering’, which is 0 by default, so nothing is logged until it is raised) and set the search-threshold registry values
LDAP performance
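An added example of the prerequisites and the parsing, not the deck's Get-LDAPperformance: the first function sets the documented NTDS registry values that make a DC emit event 1644, the second pulls the fields out of the event text, and the third collects from every DC in the current domain (discovered through .NET, so no module is needed) and summarises per client. The sample record at the end is constructed so the parser can be tried without a DC; addresses and names in it are placeholders.

```powershell
# Added example (not the deck's Get-LDAPperformance). Registry value names are the documented NTDS ones.

function Enable-LdapQueryLogging {
    # Run once on each DC (needs local admin there). Field Engineering level 5 makes the DC
    # write event 1644 to the Directory Service log for every search that crosses a threshold.
    param(
        [int]$ExpensiveVisited   = 10000,   # documented default: searches visiting more entries than this
        [int]$InefficientVisited = 1000,    # documented default: visited > this while returning < 10% of them
        [int]$SearchTimeMs       = 30000    # documented default
    )
    $diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    $parm = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    Set-ItemProperty -Path $diag -Name '15 Field Engineering'                 -Value 5 -Type DWord
    Set-ItemProperty -Path $parm -Name 'Expensive Search Results Threshold'   -Value $ExpensiveVisited -Type DWord
    Set-ItemProperty -Path $parm -Name 'Inefficient Search Results Threshold' -Value $InefficientVisited -Type DWord
    Set-ItemProperty -Path $parm -Name 'Search Time Threshold (msecs)'        -Value $SearchTimeMs -Type DWord
}

function ConvertFrom-Ldap1644 {
    # Accepts Get-WinEvent records (or any object with Message/TimeCreated/MachineName) and
    # pulls the fields out of the message text; labels follow the Server 2012 R2+ event format.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $msg = $Event.Message
        $field = { param($label)
            if ($msg -match "$label\s*:\s*(?<v>[^\r\n]+)") { $Matches.v.Trim() } }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            DC        = $Event.MachineName
            Client    = & $field 'Client'               # IP:port of the LDAP client
            StartNode = & $field 'Starting node'
            Filter    = & $field 'Filter'
            Scope     = & $field 'Search scope'
            Visited   = [int](& $field 'Visited entries')
            Returned  = [int](& $field 'Returned entries')
            TimeMs    = [int](& $field 'Search time \(ms\)')
            Indexes   = & $field 'Used indexes'
        }
    }
}

function Get-LdapPerformance {
    param(
        [string[]]$DomainController = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers.Name,
        [int]$Hours = 24,
        [string]$Csv = '.\LdapPerformance.csv'
    )
    $since = (Get-Date).AddHours(-$Hours)
    $rows = foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644; StartTime = $since } -ErrorAction SilentlyContinue |
            ConvertFrom-Ldap1644
    }
    $rows | Export-Csv -Path $Csv -NoTypeInformation
    # Hunting view: which clients issue the most and the widest searches. A workstation
    # walking the whole directory with (objectClass=*) stands out immediately.
    $rows | Group-Object Client | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Client     = $_.Name
            Searches   = $_.Count
            MaxVisited = ($_.Group | Measure-Object Visited -Maximum).Maximum
            Filters    = ($_.Group.Filter | Sort-Object -Unique) -join ' | '
        }
    }
}

# Constructed sample record, so the parser can be tried without a DC:
$sample = [pscustomobject]@{
    TimeCreated = Get-Date; MachineName = 'DC01'
    Message = @"
Internal event: A client issued a search operation with the following options.

Client:
10.10.5.23:51234
Starting node:
DC=corp,DC=local
Filter:
 (objectClass=*)
Search scope:
subtree
Attribute selection:
[all]
Server controls:
Visited entries:
184233
Returned entries:
184233
Used indexes:
DNT_index:184233:N;
Search time (ms):
2313
"@
}
$sample | ConvertFrom-Ldap1644 | Format-List
```

Pipe `$rows` into Out-GridView for the grid the deck mentions. Lower thresholds mean more 1644 events and more load on the DC, so raise the logging level for a hunt and put it back afterwards; reading the Directory Service log remotely also needs RPC reachability to each DC, which the port table above covers.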
Domain Privilege Escalation
Pass the hash, golden ticket etc.
Kerberos ‘refresher’
Golden Ticket = Game Over
• krbtgt password hash compromise -> Privileged Persistence via Offline TGT forging
• The krbtgt hash can be obtained in several ways:
  • Unauthorized AD Replication (DCSync/DCShadow)
  • Copy of AD Database or Backup (NTDS.dit + SYSTEM registry hive)
  • Stolen from lsass/DC Memory (any RW DC, Not RODC)
• The attack can be carried out in multiple ways & with multiple tools (e.g. mimikatz forging a ticket with the AES-256 key and a ‘normal’ 10-hour lifetime to blend in, etc.)
Invoke-PostKrbtgtResetMonitor
• Centralized detection of Golden Tickets via anomalous Kerberos ticket detection AFTER resetting the krbtgt password TWICE
• No Dependencies/modules. Requires ‘Event Log Readers’ or equivalent
Golden Ticket Monitor
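The monitor only makes sense once the krbtgt password has been reset twice, and the dangerous part of that procedure is the gap between the two resets. The following is an added example, not the deck's Invoke-PostKrbtgtResetMonitor: it performs the two resets with a replication-convergence check between them. It needs the RSAT ActiveDirectory module and Domain Admin rights; domain and DC names are discovered, nothing else is assumed.

```powershell
# Added example (not the deck's Invoke-PostKrbtgtResetMonitor). Needs the RSAT ActiveDirectory
# module and Domain Admin rights.
Import-Module ActiveDirectory

function Test-KrbtgtConverged {
    # True once every writable DC shows the same krbtgt pwdLastSet as the PDC emulator.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    $ref = (Get-ADUser -Identity krbtgt -Server $pdc -Properties pwdLastSet).pwdLastSet
    $dcs = (Get-ADDomainController -Filter 'IsReadOnly -eq $false' -Server $Domain).HostName
    $lagging = foreach ($dc in $dcs) {
        try {
            $v = (Get-ADUser -Identity krbtgt -Server $dc -Properties pwdLastSet -ErrorAction Stop).pwdLastSet
            if ($v -ne $ref) { $dc }
        } catch { "$dc (unreachable)" }
    }
    [pscustomobject]@{
        Converged     = -not $lagging
        PdcPwdLastSet = [datetime]::FromFileTimeUtc($ref)
        Lagging       = @($lagging)
    }
}

function Reset-KrbtgtTwice {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [int]$MaxWaitMinutes = 60,
        [int]$MinutesBetweenRounds = 0   # outside an active incident use >= the max TGT lifetime (600 by default)
    )
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    foreach ($round in 1, 2) {
        if (-not $PSCmdlet.ShouldProcess("krbtgt@$Domain via $pdc", "Reset password, round $round of 2")) { return }
        # The password text is irrelevant (the KDC only uses the derived keys); make it long and random.
        $bytes = New-Object byte[] 64
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $pw = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword $pw
        # Never start round 2 before round 1 has reached every DC: a DC still on the old key
        # would reject tickets issued by its peers and authentication would fail domain-wide.
        $deadline = (Get-Date).AddMinutes($MaxWaitMinutes)
        do {
            Start-Sleep -Seconds 30
            $state = Test-KrbtgtConverged -Domain $Domain
        } until ($state.Converged -or (Get-Date) -gt $deadline)
        if (-not $state.Converged) { throw "Round ${round}: not converged after $MaxWaitMinutes min: $($state.Lagging -join ', ')" }
        Write-Verbose "Round $round converged at $($state.PdcPwdLastSet) UTC"
        if ($round -eq 1 -and $MinutesBetweenRounds -gt 0) { Start-Sleep -Seconds (60 * $MinutesBetweenRounds) }
    }
    # The KDC validates TGTs with the current and the previous krbtgt key only, so after two
    # converged resets a ticket forged with the stolen key can no longer be decrypted by any DC.
}

# Dry run first; then run it for real from a Domain Admin session.
Reset-KrbtgtTwice -WhatIf
```

During a live incident the convergence check is the minimum wait between rounds; when you are not under attack, leave at least the maximum user-ticket lifetime (10 hours by default) between them so legitimately issued TGTs expire naturally instead of being invalidated all at once. Either way, anything that still presents a pre-reset TGT after round 2 is what the monitor is there to catch.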
GoldFinger
• Collects, Analyzes & Hunts for Suspicious TGTs
• Detects suspicious TGTs on domain EndPoints in real-time
• Potential Pass-The-Hash
• Potential Golden ticket
• No agent – works with WinRM or SMB (PaExec)
• No dependencies, no external modules (just .ps1)
• Research done to handle multiple anomalies:
  • Logon Session User != Ticket Client Name <strong indication>
  • Ticket Lifetime != Expected Lifetime <default 10 hours>
  • Ticket Renewal Length != Expected Renewal Length <default 7 days>
  • KDC Called is empty, and DNSHostName differs from the current computer name
  • Encryption Type != aes256_cts_hmac_sha1_96 <rc4 is common for inter-forest/domain tickets>
  • Encoded Ticket Size
  • Session Logon Type is CachedInteractive <potential for some false positives>, etc.
GoldFinger (Cont.)
•Requires Local Admin permissions on EndPoints
•Supports running against different domains
•Supports running on entire domain (default), or just a
specific computer(s), or Exclude specific computer(s)
•Can optionally enable PSRemoting (and try to start WinRM
on EndPoints)
•Fixes clock skew issues, while at it
•.. And more ☺
• Collector script heavily based on work by Jared Atkinson
(@jaredcatkinson) & Matthew Graeber (@mattifestation)
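The heuristics listed for GoldFinger can be tried by hand on a single host against what klist.exe prints. The following is an added example, not GoldFinger itself or the collector it is based on: a parser for klist output and the lifetime, renewal, KDC-called, encryption-type and client-name checks from the slide. The klist text at the bottom is constructed, with one clean TGT and one injected one; CORP.LOCAL, DC01 and the user names are placeholders.

```powershell
# Added example (not GoldFinger). Applies the deck's TGT heuristics to klist.exe output.

function ConvertFrom-Klist {
    param([string[]]$Lines, [cultureinfo]$Culture = [cultureinfo]::CurrentCulture)   # klist prints local-culture dates
    $all = @(); $t = $null
    foreach ($line in $Lines) {
        if ($line -match '^#(\d+)>\s+Client:\s*(.+?)\s*@\s*(\S+)') {
            if ($t) { $all += $t }
            $t = [ordered]@{ Index = [int]$Matches[1]; Client = $Matches[2]; Realm = $Matches[3]
                             Server = $null; EncType = $null; Start = $null; End = $null; Renew = $null; Kdc = $null }
        }
        elseif ($t) {
            switch -Regex ($line) {
                '^\s*Server:\s*(.+)'                     { $t.Server  = $Matches[1].Trim() }
                '^\s*KerbTicket Encryption Type:\s*(.+)' { $t.EncType = $Matches[1].Trim() }
                '^\s*Start Time:\s*(.+?)\s*\(local\)'    { $t.Start   = [datetime]::Parse($Matches[1], $Culture) }
                '^\s*End Time:\s*(.+?)\s*\(local\)'      { $t.End     = [datetime]::Parse($Matches[1], $Culture) }
                '^\s*Renew Time:\s*(.+?)\s*\(local\)'    { $t.Renew   = [datetime]::Parse($Matches[1], $Culture) }
                '^\s*Kdc Called:\s*(.*)$'                { $t.Kdc     = $Matches[1].Trim() }
            }
        }
    }
    if ($t) { $all += $t }
    foreach ($h in $all) { [pscustomobject]$h }
}

function Test-TicketAnomaly {
    param(
        [Parameter(ValueFromPipeline)]$Ticket,
        [string]$SessionUser = $env:USERNAME,        # owner of the logon session the cache belongs to
        [timespan]$ExpectedLife  = '10:00:00',       # Default Domain Policy: max user ticket lifetime 600 min
        [timespan]$ExpectedRenew = '7.00:00:00'      # Default Domain Policy: max renewal 7 days
    )
    process {
        if ($Ticket.Server -notlike 'krbtgt/*') { return }   # the heuristics are for TGTs only
        $why = @()
        if ($Ticket.Client -ne $SessionUser)                    { $why += 'client != session user (strong)' }
        if (($Ticket.End - $Ticket.Start) -ne $ExpectedLife)    { $why += "lifetime $($Ticket.End - $Ticket.Start)" }
        if (($Ticket.Renew - $Ticket.Start) -ne $ExpectedRenew) { $why += "renew $($Ticket.Renew - $Ticket.Start)" }
        if (-not $Ticket.Kdc)                                   { $why += 'no KDC called: injected, never requested' }
        if ($Ticket.EncType -notmatch 'AES-256')                { $why += "etype $($Ticket.EncType) (RC4 is normal only across trusts)" }
        [pscustomobject]@{ Client = $Ticket.Client; Server = $Ticket.Server; Suspicious = ($why.Count -gt 0); Reasons = ($why -join '; ') }
    }
}

# Constructed klist output: #0 is a normal TGT, #1 was injected into the session (e.g. a forged ticket).
$sampleKlist = @'
Current LogonId is 0:0x3e7a1

Cached Tickets: (2)

#0>     Client: yossis @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 5/3/2024 9:01:22 (local)
        End Time:   5/3/2024 19:01:22 (local)
        Renew Time: 5/10/2024 9:01:22 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01.corp.local

#1>     Client: Administrator @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 5/3/2024 9:05:00 (local)
        End Time:   5/1/2034 9:05:00 (local)
        Renew Time: 5/1/2034 9:05:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
'@ -split "`r?`n"

ConvertFrom-Klist -Lines $sampleKlist -Culture 'en-US' | Test-TicketAnomaly -SessionUser yossis | Format-Table -AutoSize
# Live: ConvertFrom-Klist -Lines (klist) | Test-TicketAnomaly
```

Each check is compared exactly against the Default Domain Policy values, so pass the real policy values in if the domain changed them, and expect the client-name check to fire legitimately for runas / explicit-credential sessions. klist only shows the cache of the current logon session; GoldFinger does this across every logon session on every endpoint, which is why it needs local admin and WinRM or SMB.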
Hunting for PTH/Golden Tickets
Possible ‘detections’ by EPP
Invoke-TgsMonitor
• Monitor TGS requests (All, or just Failed ones, with Error Code reasons)
• Useful during a live IR without another central threat hunting/log solution, or in general, to monitor access & failure reasons
• No Dependencies, no modules
• Can also generate a 'real-time monitor' with a table containing the TGS events for a specific user or computer, or status/category:
  while ($true) {
      $x = Get-Content .\TGSMonitor.csv | ConvertFrom-Csv   # the CSV the monitor keeps appending to
      Clear-Host
      $x | Where-Object account -like "*yossis*" | Format-Table -AutoSize
      Start-Sleep -Seconds 1
  }
TGS Monitor
Attributes of interest:
Blue Team tips
Attributes of interest - Examples
• Counter attributes: logonCount, badPwdCount…
• “Per DC” attributes that are never replicated, e.g. lastLogon (each DC only knows the logons it serviced itself)
• LogonWorkstations
Why “living off the land” is important for Defenders
“Small step for IT, Giant step against Lateral Movement”
• No EDR
• No segmentation
• No firewall config
• No MFA
• All the misconfigurations you can think of …
• No proper auditing/SIEM/SOC
… and yet ☺
LogonWorkstations
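Both Blue Team tips above come down to the same two operations: ask every DC for its own copy of the non-replicated counters, and pin an account to the hosts it is allowed to log on from. The following is an added example, not code from the deck: it assumes the RSAT ActiveDirectory module; the account svc-backup and the workstation SRV-BACKUP01 are placeholders.

```powershell
# Added example (not from the deck). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PerDcAccountState {
    # lastLogon, logonCount and badPwdCount are NOT replicated: each DC only knows about the
    # logons it handled itself, so the answer has to be collected from every DC and merged.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $ft = { param($v) if ($v) { [datetime]::FromFileTimeUtc($v) } }   # AD stores these as FILETIME int64
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc -ErrorAction Stop `
                 -Properties lastLogon, logonCount, badPwdCount, badPasswordTime, lastLogonTimestamp
            [pscustomobject]@{
                DC             = $dc
                LastLogonUtc   = & $ft $u.lastLogon            # per DC
                LogonCount     = $u.logonCount                 # per DC
                BadPwdCount    = $u.badPwdCount                # per DC; bad attempts are also forwarded to the PDC emulator
                BadPwdTimeUtc  = & $ft $u.badPasswordTime      # per DC
                LastLogonTsUtc = & $ft $u.lastLogonTimestamp   # replicated, but only updated about every 14 days
            }
        } catch { Write-Warning "$dc`: $($_.Exception.Message)" }
    }
}

function Set-AccountLogonWorkstations {
    # userWorkstations / LogonWorkstations: comma-separated NetBIOS names the account may log on from.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName, [Parameter(Mandatory)][string[]]$Workstation)
    $list = ($Workstation | ForEach-Object { $_.Split('.')[0].ToUpper() } | Select-Object -Unique) -join ','
    if ($PSCmdlet.ShouldProcess($SamAccountName, "restrict logon to: $list")) {
        Set-ADUser -Identity $SamAccountName -LogonWorkstations $list
    }
    (Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations).LogonWorkstations
}

# Which DCs has svc-backup actually authenticated to, and on which DC did the bad passwords land?
Get-PerDcAccountState -SamAccountName svc-backup | Sort-Object LastLogonUtc -Descending | Format-Table -AutoSize

# Pin the service account to its one legitimate host (dry run; drop -WhatIf to apply).
Set-AccountLogonWorkstations -SamAccountName svc-backup -Workstation SRV-BACKUP01 -WhatIf
```

A logon attempted from anywhere else is refused by the DC and shows up in its Security log as 4625 with status 0xC000006E and sub-status 0xC0000070 (STATUS_INVALID_WORKSTATION), which is what makes the restriction visible in a timeline. The check is against the NetBIOS computer name the client presents in the logon request, nothing cryptographic, so treat it as a cheap speed bump against credential reuse from ordinary machines rather than a boundary.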
TimeLineGenerator
• AD account timeline generator - parses DC security logs & exports an activity timeline
• Can run directly on Domain Controllers (Live, through WinRM), OR - specify a path to EVTX files
• Can run a Full/Longer report, or a Focused/Quicker one, with a select set of events to filter. Default: "Focused-Quicker"
• Can set the Max Events to fetch per DC (limit to the last X events from the log, for performance). Default: gets all events
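Invoke-TgsMonitor and TimeLineGenerator both start from the same raw material, the DCs' Security events. The following is one added example that serves both sections; it is not the deck's code: a flattener for Security events feeding (a) a 4769 view with failure reasons and ticket encryption types, and (b) a per-account timeline built from a "Focused-Quicker" event set with an optional per-DC event cap. The three events at the bottom are constructed; names and addresses in them are placeholders.

```powershell
# Added example, not the deck's Invoke-TgsMonitor or TimeLineGenerator.

function ConvertFrom-SecurityEvent {
    # Takes Get-WinEvent records (or raw event XML strings) and flattens System + EventData fields.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $xml = [xml]$(if ($Event -is [string]) { $Event } else { $Event.ToXml() })
        $id = $xml.Event.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # classic events carry a Qualifiers attribute
        $o = [ordered]@{ Time = [datetime]$xml.Event.System.TimeCreated.SystemTime
                         DC = $xml.Event.System.Computer; EventId = [int]$id }
        foreach ($d in $xml.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
        [pscustomobject]$o
    }
}

$KerberosStatus = @{   # 4769 "Status" values (RFC 4120 error codes) worth translating on the spot
    '0x0'  = 'success';                     '0x6'  = 'client principal unknown'
    '0x7'  = 'service principal unknown';   '0xc'  = 'KDC policy rejects request'
    '0xd'  = 'bad KDC option';              '0xe'  = 'etype not supported'
    '0x12' = 'client revoked (disabled/expired/locked/hours)'
    '0x1b' = 'must use user-to-user';       '0x1f' = 'integrity check failed'
    '0x20' = 'ticket expired';              '0x25' = 'clock skew too great'
    '0x29' = 'message modified';            '0x3c' = 'generic error'
}
$TicketEtype = @{ '0x1' = 'DES-CRC'; '0x3' = 'DES-MD5'; '0x11' = 'AES128'; '0x12' = 'AES256'; '0x17' = 'RC4'; '0xffffffff' = 'n/a (failure)' }

function Get-TgsRequests {
    param([object[]]$InputEvent, [string[]]$DomainController, [datetime]$Since = (Get-Date).AddHours(-1), [switch]$FailedOnly)
    $events = if ($InputEvent) { $InputEvent } else {
        foreach ($dc in $DomainController) {
            Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $Since } -ErrorAction SilentlyContinue
        }
    }
    $events | ConvertFrom-SecurityEvent | Where-Object EventId -eq 4769 | ForEach-Object {
        $status = $_.Status.ToLower()
        if ($FailedOnly -and $status -eq '0x0') { return }
        [pscustomobject]@{
            Time = $_.Time; DC = $_.DC; Account = $_.TargetUserName; Service = $_.ServiceName
            Client = $_.IpAddress; Status = $status
            Reason = $(if ($KerberosStatus[$status]) { $KerberosStatus[$status] } else { 'unknown' })
            Etype  = $TicketEtype[$_.TicketEncryptionType.ToLower()]   # RC4 service tickets for an AES-capable account: Kerberoast indicator
        }
    }
}

$TimelineEvents = @{   # "Focused-Quicker" set: logons, Kerberos/NTLM validation, account and group changes
    4624 = 'logon'; 4625 = 'logon failed'; 4648 = 'logon with explicit creds'; 4672 = 'admin privileges assigned'
    4768 = 'TGT requested'; 4769 = 'service ticket requested'; 4771 = 'Kerberos pre-auth failed'; 4776 = 'NTLM validation'
    4720 = 'user created'; 4724 = 'password reset'; 4725 = 'user disabled'; 4726 = 'user deleted'; 4740 = 'locked out'
    4728 = 'added to global group'; 4732 = 'added to local group'; 4756 = 'added to universal group'
}
function New-AccountTimeline {
    param([Parameter(Mandatory)][string]$Account, [object[]]$InputEvent, [string[]]$DomainController,
          [datetime]$Since = (Get-Date).AddDays(-7), [int]$MaxEventsPerDC = 0)
    $events = if ($InputEvent) { $InputEvent } else {
        foreach ($dc in $DomainController) {
            $f = @{ LogName = 'Security'; Id = [int[]]$TimelineEvents.Keys; StartTime = $Since }
            $extra = @{}; if ($MaxEventsPerDC -gt 0) { $extra.MaxEvents = $MaxEventsPerDC }   # newest events first
            Get-WinEvent -ComputerName $dc -FilterHashtable $f @extra -ErrorAction SilentlyContinue
        }
    }
    $events | ConvertFrom-SecurityEvent | Where-Object {
        $_.TargetUserName -like "$Account*" -or $_.SubjectUserName -eq $Account -or $_.MemberName -like "*CN=$Account,*"
    } | ForEach-Object {
        [pscustomobject]@{
            Time = $_.Time; DC = $_.DC; EventId = $_.EventId; What = $TimelineEvents[$_.EventId]
            Actor = $_.SubjectUserName; Target = $_.TargetUserName; LogonType = $_.LogonType
            Source = $(if ($_.IpAddress -and $_.IpAddress -ne '-') { $_.IpAddress } else { $_.WorkstationName })
            Detail = $(if ($_.Status) { "status $($_.Status)" } elseif ($_.MemberName) { $_.MemberName } else { $_.ServiceName })
        }
    } | Sort-Object Time
}

# Constructed sample events (minimal XML; real records carry more Data fields):
$ns = 'xmlns="http://schemas.microsoft.com/win/2004/08/events/event"'
$sample = @(
  "<Event $ns><System><EventID>4769</EventID><TimeCreated SystemTime='2024-05-03T07:01:22Z'/><Computer>DC01.corp.local</Computer></System><EventData><Data Name='TargetUserName'>yossis@CORP.LOCAL</Data><Data Name='ServiceName'>MSSQLSvc/sql01.corp.local:1433</Data><Data Name='IpAddress'>::ffff:10.10.5.23</Data><Data Name='TicketEncryptionType'>0x17</Data><Data Name='Status'>0x0</Data></EventData></Event>",
  "<Event $ns><System><EventID>4769</EventID><TimeCreated SystemTime='2024-05-03T07:02:10Z'/><Computer>DC01.corp.local</Computer></System><EventData><Data Name='TargetUserName'>svc-backup@CORP.LOCAL</Data><Data Name='ServiceName'>cifs/fs01.corp.local</Data><Data Name='IpAddress'>::ffff:10.10.5.23</Data><Data Name='TicketEncryptionType'>0xFFFFFFFF</Data><Data Name='Status'>0x12</Data></EventData></Event>",
  "<Event $ns><System><EventID>4624</EventID><TimeCreated SystemTime='2024-05-03T07:03:05Z'/><Computer>DC02.corp.local</Computer></System><EventData><Data Name='SubjectUserName'>-</Data><Data Name='TargetUserName'>yossis</Data><Data Name='LogonType'>3</Data><Data Name='WorkstationName'>WS-FIN-07</Data><Data Name='IpAddress'>10.10.5.23</Data></EventData></Event>"
)
Get-TgsRequests -InputEvent $sample -FailedOnly | Format-Table -AutoSize        # svc-backup, 0x12 client revoked
New-AccountTimeline -Account yossis -InputEvent $sample | Format-Table -AutoSize
```

For the deck's EVTX mode, replace the Get-WinEvent call with `Get-WinEvent -Path <file.evtx> -FilterXPath ...` and feed the records through the same flattener; `Export-Csv -Append` on the output gives the CSV that the real-time monitor loop above keeps re-reading. Remember that 4769 is only written when "Audit Kerberos Service Ticket Operations" is enabled (success and failure), and that the timeline is only as complete as the DCs you asked: a logon serviced by a DC you skipped, or whose log has rolled over, is simply absent.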
TimeLine Generator
LogonWorkstations reflected through TimeLine Generator
Open Source Tools & Scripts: HacktiveDirectory.com
Key Takeaways
• ‘Hacktive Directory’ is here to stay! In-depth knowledge is key
• Invest in a “living off the land” mindset – a simple configuration can go further than a few expensive vendor products ☺
• Understand the Sources of “Truth” in AD
• ‘Hacktive Directory’ forensics are a part of a wider picture
  – Event correlation & Threat hunting with high-fidelity alerts
• Practice a Before, During & After approach
• Check out hacktivedirectory.com or github.com/YossiSassi for code & scripts - Comments and improvements are welcome!
Everything is a set of nested ‘if’ statements
Takk! (Thanks!)
Yossi_Sassi
yossis@protonmail.com

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 

Hacktive Directory Forensics - HackCon18, Oslo

  • 1. hAcktive Directory Forensics: a toolkit for understanding who|what|when in your domain
    Yossi Sassi
  • 2. WhoAmI
    • InfoSec Researcher; H@‫כ‬k3r (1nTh35h311)
    • Red mind, Blue heart
    • Co-Founder @
    • Consulting in 4 continents (Banks/gov/F100)
    • 30+ years of keyboard access – Code, IT Sec, Net Comms.
    • ~25 years of AD expertise; Ex-Javelin Networks (Acquired by Symantec)
    • Ex-Technology Group Manager @ Microsoft (Coded Windows Server Tools)
    • Aviator; Volunteer (Youth at risk); Oriental Rock Bouzoukitarist
  • 3. ChatGPT was Not used in the making of this presentation, code & content
  • 6. What we’ll talk about
    • ‘Hacktive Directory’ 101
    • Sources of “Truth” in AD
    • A set of tools for Pre, During and Post AD Breach
    • Attributes of interest: Blue Team tips
  • 8. Why hack AD? Why is AD so ‘Hackable’?
    • A bit like what happened with TCP/IP…
      – Great success, super popular
      – …Yet architecture & design goals very far from the modern landscape and threats
    • Involved in every huge breach (as well as smaller ones ☺)
      – Lion (2020), NTT (2020), Baltimore (2019), Norsk Hydro (2019), SingHealth (2018), MAERSK (2017), SONY (2014), Target (2013), many others…
    • “The Microsoft Mainframe” – It’s not going away!
    • Compromising your AD means GAME OVER.
  • 10. Windows/AD 101
    • AuthN protocols (NTLM, Kerberos, LDAP/S) and “Secrets” (Hashes/ntlm, Tickets, caching, certificates…)
    • Logon vs. Authentication (Local vs. Domain, logon types…)
    • Security Principals (Users, Computers, Groups)
    • Authorization / ACLs – going beyond group membership(s)
      • e.g. direct SID assignment, ObjectAccess types etc.
    • Process, Threads, handles, access tokens, logon sessions etc.
  • 15. AD / AD DS network ports
    Protocol and Port | AD and AD DS Usage | Type of traffic
    TCP 25 | Replication | SMTP
    TCP 42 | If using WINS in a domain trust scenario offering NetBIOS resolution | WINS
    TCP 135 | Replication | RPC, EPM
    TCP 137 | NetBIOS Name resolution | NetBIOS Name resolution
    TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon
    TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
    TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
    TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
    TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
    TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos
    TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS
    TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMBv1/2/3, CIFS, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
    TCP 9389 | AD DS Web Services | SOAP
    TCP 5722 | File Replication | RPC, DFSR (SYSVOL)
    TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
    UDP 123 | Windows Time, Trusts | Windows Time
    UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution
    UDP 138 | DFS, Group Policy, NetBIOS Netlogon, Browsing | DFSN, NetLogon, NetBIOS Datagram Service
    UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service, but these ports may be necessary for other functions besides DHCP, such as WDS) | DHCP, MADCAP, PXE
    TCP and UDP 1024-5000; 49152-65535 | Ongoing (RPC etc.) | RPC / DCOM / WMI…
    TCP 593 | DCOM/Messaging/Exchange | RPC over HTTP
  • 16. “Confusing” architectural recommendations
    • 90’s (The NT4 days): The more Domains – the better!
    • NT4 to NT5 -> Your opportunity to Consolidate domains!
    • Domain is NOT a security boundary! -> Separate into Forests, with trusts.
    • Trusts are bad as well (one/bi-directional, FPs, SidFiltering, sidHistory…)
    • ESAE, aka “Red Forest” (Costly! & doesn’t play well with cloud) *
    • Admin Tier Model
    • Forget the costly & complex ‘Red Forest’ -> Privileged Access
    * Still useful for isolated environments, e.g., offline R&D or disconnected OT/SCADA environments
  • 18. HacKtive Directory: Sources of “Truth”
    • Sysvol/Files vs. ETW/Event Logs vs. pcap/”hooks”
    • Possible Scenarios –
      – No logs (Not collected/Not enough retention/Wiped by ransom)
      – No Online DCs (encrypted/offline VMs -> Just backups…)
    • Still, we want to know who did what & when
    • NTDS.dit
    • replPropertyMetaData
  • 21. Where is this msDS-Repl* ??!
  • 22. Wouldn’t it be nice…
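What slides 18 to 22 are pointing at, as an added example (this is not a script from the deck or from hacktivedirectory.com): AD keeps per-attribute replication metadata on every object, the internal replPropertyMetaData, exposed as the constructed attributes msDS-ReplAttributeMetaData and, for linked values such as member, msDS-ReplValueMetaData. That metadata survives wiped event logs and is present in any NTDS.dit backup. The code below parses it into "what changed, when, and on which DC"; the live query assumes the ActiveDirectory RSAT module and that both constructed attributes can be requested through Get-ADObject, while the parser runs offline on a constructed sample.

```powershell
# Added example, not the deck's code. Parses AD replication metadata XML.
function ConvertFrom-ReplMetaData {
    # Each value AD returns for msDS-ReplAttributeMetaData / msDS-ReplValueMetaData is one small XML document.
    param([Parameter(Mandatory)][AllowEmptyString()][AllowEmptyCollection()][string[]]$Xml)
    foreach ($doc in $Xml) {
        if (-not $doc) { continue }
        $e = ([xml]$doc).DocumentElement
        # The originating DSA DN looks like CN=NTDS Settings,CN=DC02,CN=Servers,...;
        # it is empty once the originating DC has been demoted or deleted.
        if ($e.pszLastOriginatingDsaDN) {
            $dc = ($e.pszLastOriginatingDsaDN -split ',')[1] -replace '^CN='
        } else {
            $dc = "<unknown DSA, invocationId $($e.uuidLastOriginatingDsaInvocationID)>"
        }
        # AD encodes "never" as the zero FILETIME, printed as 1601-01-01T00:00:00Z.
        $deleted = if ($e.ftimeDeleted -and -not $e.ftimeDeleted.StartsWith('1601')) { ([datetime]$e.ftimeDeleted).ToUniversalTime() }
        $created = if ($e.ftimeCreated -and -not $e.ftimeCreated.StartsWith('1601')) { ([datetime]$e.ftimeCreated).ToUniversalTime() }
        [pscustomobject]@{
            Attribute      = $e.pszAttributeName
            LinkedValue    = $e.pszObjectDn                  # only present in msDS-ReplValueMetaData entries
            Version        = [int]$e.dwVersion               # number of originating writes so far
            LastChangeUtc  = ([datetime]$e.ftimeLastOriginatingChange).ToUniversalTime()
            CreatedUtc     = $created                        # linked value: when it was added
            DeletedUtc     = $deleted                        # linked value: when it was removed (kept until tombstone expiry)
            OriginatingDC  = $dc                             # which DC accepted the write
            OriginatingUsn = [int64]$e.usnOriginatingChange  # USN on that DC, for correlating with its own logs
        }
    }
}

function Get-ObjectChangeHistory {
    # Live query. Identity is a DN or objectGUID; pin -Server to a specific DC when
    # you suspect a lagging or restored replica tells a different story.
    param([Parameter(Mandatory)][string]$Identity, [string]$Server)
    $p = @{ Identity = $Identity; Properties = 'msDS-ReplAttributeMetaData', 'msDS-ReplValueMetaData' }
    if ($Server) { $p.Server = $Server }
    $obj = Get-ADObject @p
    $all = @($obj.'msDS-ReplAttributeMetaData') + @($obj.'msDS-ReplValueMetaData')
    ConvertFrom-ReplMetaData -Xml $all | Sort-Object LastChangeUtc -Descending
}

# Constructed sample (not real data): userAccountControl rewritten for the 4th time on DC02,
# and a 'member' link value that was added to a group and removed six hours later.
$attrXml = @'
<DS_REPL_ATTR_META_DATA>
  <pszAttributeName>userAccountControl</pszAttributeName>
  <dwVersion>4</dwVersion>
  <ftimeLastOriginatingChange>2023-11-02T21:14:09Z</ftimeLastOriginatingChange>
  <uuidLastOriginatingDsaInvocationID>7f5d1c0e-0000-4000-8000-000000000002</uuidLastOriginatingDsaInvocationID>
  <usnOriginatingChange>81421</usnOriginatingChange>
  <usnLocalChange>81421</usnLocalChange>
  <pszLastOriginatingDsaDN>CN=NTDS Settings,CN=DC02,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=corp,DC=example</pszLastOriginatingDsaDN>
</DS_REPL_ATTR_META_DATA>
'@
$valueXml = @'
<DS_REPL_VALUE_META_DATA>
  <pszAttributeName>member</pszAttributeName>
  <pszObjectDn>CN=svc-backup,OU=Service Accounts,DC=corp,DC=example</pszObjectDn>
  <cbData>0</cbData>
  <ftimeDeleted>2023-11-03T03:40:51Z</ftimeDeleted>
  <ftimeCreated>2023-11-02T21:15:30Z</ftimeCreated>
  <dwVersion>2</dwVersion>
  <ftimeLastOriginatingChange>2023-11-03T03:40:51Z</ftimeLastOriginatingChange>
  <uuidLastOriginatingDsaInvocationID>7f5d1c0e-0000-4000-8000-000000000002</uuidLastOriginatingDsaInvocationID>
  <usnOriginatingChange>81502</usnOriginatingChange>
  <usnLocalChange>81502</usnLocalChange>
  <pszLastOriginatingDsaDN>CN=NTDS Settings,CN=DC02,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=corp,DC=example</pszLastOriginatingDsaDN>
</DS_REPL_VALUE_META_DATA>
'@
ConvertFrom-ReplMetaData -Xml $attrXml, $valueXml |
    Format-Table Attribute, LinkedValue, Version, LastChangeUtc, CreatedUtc, DeletedUtc, OriginatingDC -AutoSize
# Live: Get-ObjectChangeHistory -Identity 'CN=Domain Admins,CN=Users,DC=corp,DC=example' -Server DC01
```

Two caveats a practitioner should carry into an investigation: the metadata answers "what, when and on which DC", not "who"; the acting user still has to come from that DC's own events (4728/4732/5136 and the like) or from the USN, so a missing log does not make the metadata a full substitute. And only the last originating change per attribute is kept, with dwVersion as a counter of how many writes there have been, so a high version on adminCount or userAccountControl is a signal even when the intermediate values are gone. Removed linked values (a member taken out of Domain Admins) stay visible with their DeletedUtc until the tombstone lifetime expires. On Windows Server 2012 and later, Get-ADReplicationAttributeMetadata -ShowAllLinkedValues returns the same data already parsed.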
  • 25. More Tools for Pre, During & Post AD Breach
  • 26. Get-LDAPperformance: Identifying Unusual and/or Large LDAP Queries
    • Collects LDAP Query Performance Events and analyzes them to CSV & Grid (relies on event ID 1644)
    • Helps in identifying large or unusual LDAP queries, either for Threat Hunting or IT optimization
    • No Dependencies, No modules required. Requires ‘Event Log Readers’ permission or equivalent (on the ‘Directory Service’ log)
    • Some pre-requisites are needed on the AD side: enable the relevant diagnostic logging and set the registry key
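An added example of the 1644 pipeline the slide describes (this is not the Get-LDAPperformance script itself): the registry prerequisites on a DC, a parser for the labelled lines of the 1644 message, and a first hunting pass over the parsed queries. It assumes the 1644 message labels as written by Windows Server 2012 R2 and later, RPC or WinRM access to the DCs for the live collector, and threshold values that are illustrative rather than Microsoft's defaults; the parser and the hunt run offline on a constructed event.

```powershell
# Added example, not the deck's code. Event 1644 = "LDAP search performance" in the Directory Service log.
function Enable-LdapQueryLogging {
    # Prerequisite on each DC: raise the '15 Field Engineering' diagnostic level and lower
    # the search thresholds, otherwise 1644 is written only for very slow or very large searches.
    param([int]$SearchTimeMs = 100, [int]$ExpensiveResults = 5000, [int]$InefficientResults = 1000)
    $diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    $parm = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 5 -Type DWord
    Set-ItemProperty -Path $parm -Name 'Search Time Threshold (msecs)' -Value $SearchTimeMs -Type DWord
    Set-ItemProperty -Path $parm -Name 'Expensive Search Results Threshold' -Value $ExpensiveResults -Type DWord
    Set-ItemProperty -Path $parm -Name 'Inefficient Search Results Threshold' -Value $InefficientResults -Type DWord
}

function Get-MessageField([string]$Message, [string]$Label) {
    # 1644 messages are "Label:  value" lines (labels per Windows Server 2012 R2+; adjust if yours differ).
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.*?)\s*$") { $Matches[1] }
}

function ConvertFrom-LdapQueryEvent {
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)   # needs .TimeCreated, .MachineName, .Message
    process {
        $m = $Event.Message
        [pscustomobject]@{
            Time     = $Event.TimeCreated
            DC       = $Event.MachineName
            Client   = Get-MessageField $m 'Client'               # IP:port of the LDAP client, not a user
            BaseDN   = Get-MessageField $m 'Starting node'
            Scope    = Get-MessageField $m 'Search scope'
            Filter   = Get-MessageField $m 'Filter'
            Attrs    = Get-MessageField $m 'Attribute selection'
            Visited  = [int64](Get-MessageField $m 'Visited entries')
            Returned = [int64](Get-MessageField $m 'Returned entries')
            TimeMs   = [int](Get-MessageField $m 'Search time (ms)')
        }
    }
}

function Find-SuspiciousLdapQuery {
    # First-pass hunt: whole-directory walks and the filter terms recon tooling commonly asks for.
    param([Parameter(Mandatory, ValueFromPipeline)]$Query, [int64]$MinVisited = 10000)
    process {
        $why = @()
        if ($Query.Visited -ge $MinVisited) { $why += "visited $($Query.Visited) entries" }
        if ($Query.Scope -eq 'subtree' -and $Query.BaseDN -match '^DC=' -and $Query.Attrs -eq '[all]') { $why += 'whole-domain subtree search for all attributes' }
        if ($Query.Filter -match 'servicePrincipalName=\*|userAccountControl:1\.2\.840\.113556\.1\.4\.803|adminCount=1') { $why += 'SPN / UAC-bitmask / adminCount filter' }
        if ($why) { $Query | Add-Member -NotePropertyName Why -NotePropertyValue ($why -join '; ') -PassThru }
    }
}

function Get-LdapQueryEvent {
    # Live collector; group the output by Client to see who is walking the directory.
    param([string[]]$DomainController = $env:COMPUTERNAME, [datetime]$Since = (Get-Date).AddHours(-24))
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644; StartTime = $Since } -ErrorAction SilentlyContinue |
            ConvertFrom-LdapQueryEvent
    }
}

# Constructed sample event (not a real log entry): one client pulling every object with every attribute.
$sampleEvent = [pscustomobject]@{
    TimeCreated = [datetime]'2024-03-01T08:15:02'
    MachineName = 'DC01.corp.example'
    Message     = @"
Internal event: A client issued a search operation with the following options.

Client:  10.20.30.40:51234
Starting node:  DC=corp,DC=example
Filter:  (objectClass=*)
Search scope:  subtree
Attribute selection:  [all]
Server controls:
Visited entries:  48213
Returned entries:  48213
Used indexes:
Pages referenced:  102344
Pages read from disk:  0
Pages preread from disk:  0
Clean pages modified:  0
Dirty pages modified:  0
Search time (ms):  1260
Attributes Preventing Optimization:
"@
}
$sampleEvent | ConvertFrom-LdapQueryEvent | Find-SuspiciousLdapQuery | Format-List Time, DC, Client, BaseDN, Scope, Filter, Visited, TimeMs, Why
```

The 1644 record identifies the client by IP and source port only; to put a user behind it, correlate with the DC's 4624 network logons from that address around the same time. Expect a visible CPU and log-volume cost on busy DCs once the thresholds are lowered, and raise them again when the hunt is over.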
  • 29. Domain Privilege Escalation: Pass the hash, golden ticket etc.
  • 31. Golden Ticket = Game Over
    • krbtgt password hash compromise -> Privileged Persistence via offline TGT forging
    • The krbtgt hash can be obtained in several ways:
      • Unauthorized AD Replication (DCSync/DCShadow)
      • Copy of the AD Database or a Backup (NTDS.dit + SYSTEM registry hive)
      • Stolen from lsass/DC memory (any RW DC, not an RODC)
    • The attack can be carried out in multiple ways & tools (e.g. mimikatz forging with the AES 256-bit key and a 10-hour lifetime only, to look like a legitimate TGT, etc.)
  • 32. Invoke-PostKrbtgtResetMonitor
    • Centralized detection of Golden Tickets via anomalous Kerberos ticket detection AFTER resetting the krbtgt password TWICE
    • No Dependencies/modules. Requires ‘Event Log Readers’ or equivalent
  • 34. GoldFinger
    • Collects, Analyzes & Hunts for Suspicious TGTs
    • Detects suspicious TGTs on domain EndPoints in real-time
      • Potential Pass-The-Hash
      • Potential Golden ticket
    • No agent – works with WinRM or SMB (PaExec)
    • No dependencies, no external modules (just .ps1)
    • Research done to handle multiple anomalies:
      • Logon Session User != Ticket Client Name <Strong indication>
      • Ticket Lifetime != Expected Lifetime <Default 10 hours>
      • Ticket Renewal Length != Expected Renewal Length <Default 7 days>
      • KDC called is empty, and DNSHostName is different than the current computer name
      • Encryption Type != aes256_cts_hmac_sha1_96 <rc4 is common for inter-forest/domain tickets>
      • Encoded Ticket Size
      • Session Logon Type is CachedInteractive <potential for some False Positives>
      • etc.
  • 35. GoldFinger (Cont.)
    • Requires Local Admin permissions on EndPoints
    • Supports running against different domains
    • Supports running on the entire domain (default), or just specific computer(s), or excluding specific computer(s)
    • Can optionally enable PSRemoting (and try to start WinRM on EndPoints)
    • Fixes clock skew issues while at it
    • … And more ☺
    • Collector script heavily based on work by Jared Atkinson (@jaredcatkinson) & Matthew Graeber (@mattifestation)
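The core of the GoldFinger checks, as an added example that is not GoldFinger itself: parse the cached tickets that klist prints for a logon session and flag the anomalies the slide lists. It assumes klist's text layout ("#n>" blocks of "Label: value" lines), that the expected lifetimes match an unmodified Kerberos policy (10-hour TGT, 7-day renewal; confirm yours in the domain's Kerberos policy before trusting the defaults), and a constructed sample in US date format for the offline run.

```powershell
# Added example, not GoldFinger's code. Applies GoldFinger-style rules to klist output.
function ConvertTo-KlistTime([string]$Text) {
    # klist writes times in the machine's locale, followed by "(local)".
    if (-not $Text) { return $null }
    $clean = $Text -replace '\s*\(local\)\s*$', ''
    try   { [datetime]::Parse($clean, [cultureinfo]::CurrentCulture) }
    catch { [datetime]::Parse($clean, [cultureinfo]::InvariantCulture) }
}

function ConvertFrom-Klist {
    param([Parameter(Mandatory)][string]$Text)
    # One "#n>" block per cached ticket; the text before "#0>" is the session header.
    foreach ($block in (($Text -split '(?m)^#\d+>') | Select-Object -Skip 1)) {
        $f = @{}
        foreach ($line in ($block -split "`r?`n")) {
            if ($line -match '^\s*(Client|Server|KerbTicket Encryption Type|Start Time|End Time|Renew Time|Kdc Called):\s*(.*?)\s*$') {
                $f[$Matches[1]] = $Matches[2]
            }
        }
        [pscustomobject]@{
            Client    = $f['Client']
            Server    = $f['Server']
            EncType   = $f['KerbTicket Encryption Type']
            Start     = ConvertTo-KlistTime $f['Start Time']
            End       = ConvertTo-KlistTime $f['End Time']
            Renew     = ConvertTo-KlistTime $f['Renew Time']
            KdcCalled = $f['Kdc Called']
        }
    }
}

function Test-TicketAnomaly {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Ticket,
        [string]$SessionUser = $env:USERNAME,        # the user owning the logon session being inspected
        [timespan]$ExpectedLifetime = '10:00:00',    # domain Kerberos policy: max ticket lifetime
        [timespan]$ExpectedRenewal  = '7.00:00:00'   # domain Kerberos policy: max renewal window
    )
    process {
        $why = @()
        $isTgt       = $Ticket.Server -like 'krbtgt/*'
        $clientUser  = ($Ticket.Client -split '\s*@\s*')[0]
        $clientRealm = ($Ticket.Client -split '\s*@\s*')[1]
        $serverRealm = ($Ticket.Server -split '\s*@\s*')[1]
        if ($clientUser -ne $SessionUser) { $why += "ticket client '$clientUser' != session user '$SessionUser' (strong indication)" }
        if ($isTgt) {
            if ($Ticket.End -and ($Ticket.End - $Ticket.Start) -ne $ExpectedLifetime) { $why += "TGT lifetime $($Ticket.End - $Ticket.Start) != $ExpectedLifetime" }
            if ($Ticket.Renew -and ($Ticket.Renew - $Ticket.Start) -ne $ExpectedRenewal) { $why += "renewal window $($Ticket.Renew - $Ticket.Start) != $ExpectedRenewal" }
            # RC4 is normal on cross-realm referral TGTs, so only flag it inside a single realm.
            if ($clientRealm -eq $serverRealm -and $Ticket.EncType -notmatch 'AES-256') { $why += "intra-realm TGT encrypted with $($Ticket.EncType)" }
            if (-not $Ticket.KdcCalled) { $why += 'no KDC recorded for this TGT (injected rather than requested?)' }
        }
        if ($why) { $Ticket | Add-Member -NotePropertyName Why -NotePropertyValue ($why -join '; ') -PassThru }
    }
}

# Constructed sample (not captured from a real host): #0 is a normal TGT for the session user,
# #1 is what a forged TGT injected into the same session typically looks like.
$sampleKlist = @'
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: yossis @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 3/1/2024 8:15:02 (local)
        End Time:   3/1/2024 18:15:02 (local)
        Renew Time: 3/8/2024 8:15:02 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01.corp.example

#1>     Client: Administrator @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 3/1/2024 8:20:00 (local)
        End Time:   3/1/2034 8:20:00 (local)
        Renew Time: 3/1/2034 8:20:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
'@
ConvertFrom-Klist -Text $sampleKlist | Test-TicketAnomaly -SessionUser 'yossis' | Format-List Client, Server, EncType, Why
```

Live, `(klist | Out-String) | ConvertFrom-Klist | Test-TicketAnomaly` only covers the current session; to sweep an endpoint the way the slide describes, enumerate sessions with `klist sessions` as a local admin and run `klist -li <LogonId>` for each, passing that session's user as -SessionUser. A lifetime or encryption-type mismatch is only an anomaly relative to your policy, which is why the defaults are parameters rather than constants.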
  • 39. Invoke-TgsMonitor
    • Monitor TGS requests (All, or just Failed ones, with Error Code reasons)
    • Useful during a live IR without other central threat hunting log solution, or in general, to monitor access & failure reasons
    • No Dependencies, no modules
    • Can also generate a 'real-time monitor' with a table containing the TGS events for a specific user or computer, or status/category, by re-reading the CSV the script writes every second:
      while ($true) { $x = cat .\TGSMonitor.csv | ConvertFrom-Csv; cls; $x | ? account -like "*yossis*" | ft -AutoSize; sleep 1 }
  • 43. Attributes of interest - Examples
    • Counter attributes: logonCount, badPwdCount…
    • “Per DC” (non-replicated) attributes, e.g. lastLogon
    • logonWorkstations
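Why "per DC" matters in practice, as an added example (not code from the deck): lastLogon, logonCount, badPwdCount and badPasswordTime are not replicated, so each DC holds its own copy and a single query against whichever DC answered tells only part of the story. The code below asks every DC and reconciles the answers; it assumes the ActiveDirectory RSAT module, read access to all DCs, and that Get-ADUser returns the raw FILETIME integers for those attributes.

```powershell
# Added example, not the deck's code. Collects non-replicated logon attributes from every DC.
function ConvertFrom-FileTime([Int64]$Value) {
    # lastLogon / badPasswordTime / lastLogonTimestamp are 100ns ticks since 1601; 0 means never.
    if ($Value -gt 0) { [datetime]::FromFileTimeUtc($Value) }
}

function Get-PerDcLogonData {
    param([Parameter(Mandatory)][string]$SamAccountName, [string[]]$DomainController)
    if (-not $DomainController) { $DomainController = (Get-ADDomainController -Filter *).HostName }
    $props = 'lastLogon', 'logonCount', 'badPwdCount', 'badPasswordTime', 'lastLogonTimestamp', 'logonWorkstations'
    foreach ($dc in $DomainController) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties $props -ErrorAction Stop
            [pscustomobject]@{
                DC                 = $dc
                LastLogon          = ConvertFrom-FileTime $u.lastLogon           # per DC, exact
                LogonCount         = $u.logonCount                               # per DC
                BadPwdCount        = $u.badPwdCount                              # per DC; bad passwords are also forwarded to the PDC emulator
                BadPasswordTime    = ConvertFrom-FileTime $u.badPasswordTime
                LastLogonTimestamp = ConvertFrom-FileTime $u.lastLogonTimestamp  # replicated, but only refreshed when older than ~9-14 days
                LogonWorkstations  = $u.logonWorkstations                        # replicated
                Error              = $null
            }
        } catch {
            # Keep the same columns so a failed DC still shows up in the table.
            [pscustomobject]@{ DC = $dc; LastLogon = $null; LogonCount = $null; BadPwdCount = $null; BadPasswordTime = $null
                               LastLogonTimestamp = $null; LogonWorkstations = $null; Error = $_.Exception.Message }
        }
    }
}

function Get-TrueLastLogon {
    # Reconcile: the real last logon is the newest value any DC holds, and the
    # DC that holds it is where the logon was serviced (a remote-site DC here is a lead).
    param([Parameter(Mandatory)][string]$SamAccountName, [string[]]$DomainController)
    $rows   = Get-PerDcLogonData @PSBoundParameters
    $ok     = @($rows | Where-Object { -not $_.Error })
    $newest = $ok | Where-Object LastLogon | Sort-Object LastLogon -Descending | Select-Object -First 1
    $lastBad = $ok | Where-Object BadPasswordTime | Sort-Object BadPasswordTime -Descending | Select-Object -First 1
    [pscustomobject]@{
        Account         = $SamAccountName
        LastLogon       = $newest.LastLogon
        LastLogonOnDC   = $newest.DC
        TotalLogons     = ($ok.LogonCount | Measure-Object -Sum).Sum
        LastBadPassword = $lastBad.BadPasswordTime
        LastBadPwdOnDC  = $lastBad.DC
        DCsQueried      = $ok.Count
        DCsFailed       = @($rows | Where-Object Error).Count
    }
}

# Usage: Get-PerDcLogonData -SamAccountName yossis | Format-Table -AutoSize
#        Get-TrueLastLogon  -SamAccountName yossis
```

A DC that is unreachable silently biases the answer toward "no recent logon", which is why DCsFailed is part of the result rather than a warning that scrolls away. badPwdCount is the one per-DC counter with a shortcut: failed passwords are forwarded to the PDC emulator, so its copy is usually the most complete.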
  • 44. Why “living off the land” is important for Defenders
  • 45. “Small step for IT, Giant step against Lateral Movement”
    • No EDR
    • No segmentation
    • No firewalls config
    • No MFA
    • All the misconfigurations you can think of …
    • No proper auditing/SIEM/SOC
    … and yet ☺
  • 47. TimeLineGenerator
    • AD account timeline generator - parse DC security logs & export activity timeline
    • Can run directly on Domain Controllers (Live, through WinRM), OR - specify Path to Evtx files
    • Can run a Full/Longer report, or a Focused/Quicker one, with a select set of events to filter. Default: "Focused-Quicker"
    • Can set the Max Events to fetch Per DC (limit to the last X events from the log, for performance). Default: gets all events
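The shape of both the Invoke-TgsMonitor and the TimeLineGenerator slides, as one added example (not the deck's scripts): a per-account timeline built from DC Security logs, live over WinRM/RPC or from exported .evtx files, with the Kerberos failure codes and ticket encryption types of 4768/4769/4771 decoded so a failed TGS request carries its reason. It assumes 'Event Log Readers' (or equivalent) on each DC, the standard Security-Auditing event XML layout, and a focused event set that you extend for a fuller report; the XML parser runs offline on the constructed event at the end.

```powershell
# Added example, not the deck's code. Account timeline from Security events, with Kerberos decoding.
$KerberosStatus = @{
    '0x0'  = 'success'
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found)'
    '0x7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN (SPN not found)'
    '0xc'  = 'KDC_ERR_POLICY (logon hours / workstation restriction)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (disabled, expired or locked out)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (bad password)'
    '0x1f' = 'KRB_AP_ERR_BAD_INTEGRITY'
    '0x20' = 'KRB_AP_ERR_TKT_EXPIRED'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew)'
    '0x29' = 'KRB_AP_ERR_MODIFIED (ticket not decryptable with current keys)'
}
# 0x17 on a 4769 = an RC4 service ticket, i.e. the kind Kerberoasting asks for.
$TicketEncType = @{ '0x12' = 'AES256'; '0x11' = 'AES128'; '0x17' = 'RC4-HMAC'; '0xffffffff' = 'n/a (failed request)' }
$EventLabel = @{
    4624 = 'logon'; 4625 = 'logon failed'; 4768 = 'TGT requested'; 4769 = 'service ticket (TGS) requested'
    4771 = 'Kerberos pre-auth failed'; 4776 = 'NTLM validation'; 4720 = 'user created'; 4722 = 'user enabled'
    4724 = 'password reset'; 4728 = 'added to global group'; 4732 = 'added to local group'
    4738 = 'user changed'; 4740 = 'account locked out'; 4756 = 'added to universal group'
}

function ConvertFrom-SecurityEventXml {
    # Works on EventLogRecord.ToXml() output or any exported event XML.
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$Xml)
    process {
        $sys  = $Xml.Event.System
        $id   = [int]$(if ($sys.EventID -is [System.Xml.XmlElement]) { $sys.EventID.InnerText } else { $sys.EventID })
        $data = @{}
        foreach ($d in $Xml.Event.EventData.Data) { $data[$d.Name] = $d.InnerText }
        $status = if ($data.Status) { $data.Status.ToLower() }
        $enc    = if ($data.TicketEncryptionType) { $data.TicketEncryptionType.ToLower() }
        [pscustomobject]@{
            Time      = ([datetime]$sys.TimeCreated.SystemTime).ToUniversalTime()
            DC        = $sys.Computer
            EventId   = $id
            What      = $EventLabel[$id]
            Account   = if ($data.TargetUserName) { $data.TargetUserName } else { $data.SubjectUserName }
            Actor     = $data.SubjectUserName                # who performed an admin action (4720/4724/4728...)
            Service   = $data.ServiceName                    # SPN asked for in a 4769
            Client    = $data.IpAddress -replace '^::ffff:'
            LogonType = $data.LogonType
            EncType   = if ($enc)    { if ($TicketEncType.ContainsKey($enc))      { $TicketEncType[$enc] }      else { $enc } }
            Status    = if ($status) { if ($KerberosStatus.ContainsKey($status)) { $KerberosStatus[$status] } else { $status } }
        }
    }
}

function Get-AccountTimeline {
    param(
        [Parameter(Mandatory)][string]$Account,
        [string[]]$DomainController,                # live: each DC's Security log
        [string[]]$EvtxPath,                        # offline: exported .evtx files
        [int[]]$EventId = @($EventLabel.Keys),      # focused set; pass more IDs for a fuller report
        [int]$MaxEventsPerSource = 0                # 0 = all events (slow on busy DCs)
    )
    $sources = @()
    foreach ($dc in $DomainController) { $sources += @{ Name = $dc; Filter = @{ LogName = 'Security'; Id = $EventId } } }
    foreach ($p in $EvtxPath)          { $sources += @{ Name = $p;  Filter = @{ Path = $p; Id = $EventId } } }
    $match = "^$([regex]::Escape($Account))(@|$)"   # 4768 logs 'user', 4769 logs 'user@REALM'
    foreach ($s in $sources) {
        $gw = @{ FilterHashtable = $s.Filter; ErrorAction = 'SilentlyContinue' }
        if ($s.Filter.LogName) { $gw.ComputerName = $s.Name }
        if ($MaxEventsPerSource -gt 0) { $gw.MaxEvents = $MaxEventsPerSource }
        Get-WinEvent @gw | ForEach-Object { ConvertFrom-SecurityEventXml ([xml]$_.ToXml()) } |
            Where-Object { $_.Account -match $match -or $_.Actor -match $match }
    }
}

# Constructed sample (not a real log): a 4769 that failed because the account is disabled/locked.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing" /><EventID>4769</EventID>
    <TimeCreated SystemTime="2024-03-01T08:15:02.123456Z" /><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">yossis@CORP.EXAMPLE</Data><Data Name="TargetDomainName">CORP.EXAMPLE</Data>
    <Data Name="ServiceName">MSSQLSvc/sql01.corp.example:1433</Data><Data Name="TicketOptions">0x40810000</Data>
    <Data Name="TicketEncryptionType">0xffffffff</Data><Data Name="IpAddress">::ffff:10.20.30.40</Data>
    <Data Name="IpPort">51234</Data><Data Name="Status">0x12</Data>
  </EventData>
</Event>
'@
ConvertFrom-SecurityEventXml ([xml]$sample) | Format-List Time, DC, What, Account, Service, Client, EncType, Status
# Live:    Get-AccountTimeline -Account yossis -DomainController DC01, DC02 -MaxEventsPerSource 200000 | Sort-Object Time | Export-Csv .\timeline.csv -NoTypeInformation
# Offline: Get-AccountTimeline -Account yossis -EvtxPath C:\case\DC01-Security.evtx | Sort-Object Time
```

Sort across sources after collection rather than per DC: a 4768 on one DC and the 4769 it led to on another only make sense in one merged, UTC-ordered list. MaxEventsPerSource trades completeness for speed exactly as the slide describes, and a timeline built with it should say so in its header.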
  • 50. Open Source Tools & Scripts: HacktiveDirectory.com
  • 51. Key Takeaways
    • ‘Hacktive Directory’ is here to stay! In-depth knowledge is key
    • Invest in a “living off the land” mindset – a simple configuration can go further than a few expensive vendor products ☺
    • Understand the Sources of “Truth" in AD
    • ‘Hacktive Directory’ forensics are part of a wider picture – Event correlation & Threat hunting with high-fidelity alerts
    • Practice a Before, During & After approach
    • Check out hacktivedirectory.com or github.com/YossiSassi for code & scripts - Comments and improvements are welcome!
  • 52. Everything is a set of nested ‘if’ statements